Tutorial: Tutorial: Wireless Multicast Security Wireless Multicast Security Yan Sun University of Rhode Island May 15, 2006
Jan 08, 2016
Tutorial:Tutorial: Wireless Multicast SecurityWireless Multicast Security
Yan Sun
University of Rhode Island
May 15, 2006
Tutorial: Secure Wireless Multicast
Yan Sun
OutlineOutlinePart 1:
– Introduction on Secure Wireless Multicast Unicast vs. Multicast Security requirements for Multicast Challenges in Wireless Networks
Part 2:– Multicast Key Management
Generic Schemes Network-aware Key Management Application-aware Key Management New Security Concerns
– Multicast Authentication
Part 3: More on wireless multicast
Part 1. IntroductionPart 1. Introduction
Unicast vs. Multicast
Security requirements for Multicast– Key Management
– Multicast Authentication
Challenges in Wireless Networks
Tutorial: Secure Wireless Multicast
Yan Sun
Basic ConceptsBasic Concepts
Unicast: one-to-one
Multicast: one-to-many
Broadcast: one-to-all
WirelessMulticastSecurity
Tutorial: Secure Wireless Multicast
Yan Sun
UnicastUnicast
Point-to-point communication (Unicast) has been the dominant form of computer communication since the beginning of networking.
Distributing content, such as a popular movie, to a large audience over individual point-to-point connections is not efficient.– congestion
– wasting network resources
– Delay
Point-to-point communication faces scalability problem.
Tutorial: Secure Wireless Multicast
Yan Sun
MulticastMulticast
Orange circles represent endpoints, and green circles represent routing points.
Multicast
Multiple Unicast
Multicast is an essential mechanism to achieve scalable information distribution.
Tutorial: Secure Wireless Multicast
Yan Sun In unicast, there is a one-to-one association between network address and network endpoint: each destination address uniquely identifies a single receiver endpoint.
In multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated.
Tutorial: Secure Wireless Multicast
Yan Sun
Multicast ApplicationsMulticast Applications
Digital video and audio multicast over Internet, such as movie-on-demand and video conferences.
Widespread software distribution, such as anti-virus scanner update and security patch delivery.
Disseminating real-time financial market information to a large audience with various devices, including PDAs, cell phones, computers etc.
Transportation control where road traffic pattern or air traffic control information is distributed to many stations.
Multi-player games involving thousands of users simultaneously interacting in a virtual game world.
Tutorial: Secure Wireless Multicast
Yan Sun
Good News to Both SidesGood News to Both Sides
Advantage: Multicast can efficient distribute information to thousands or even millions of users.
However, multicast also creates opportunities for malicious packets to reach thousands or millions of users.
Challenge: how to maintain security with dynamic group membership
WirelessMulticastSecurity
Tutorial: Secure Wireless Multicast
Yan Sun
Security in Group CommunicationsSecurity in Group Communications
Confidentiality: non-group members cannot read the data
Integrity: data cannot be modified or deleted in any unauthorized way
Authentication: claimed sender is the actual sender
Access Control: only authorized parties can access the group communications
Non-repudiation: The sender cannot deny sending the message
No denial-of-service
Tutorial: Secure Wireless Multicast
Yan Sun
Access Control and ConfidentialityAccess Control and Confidentiality
Among all those requirements, access control is the first line of defense.
Basic approach:– Service provider encrypt the content using a key
– This key is shared among all legitimated group members, but not known by non-group members.
Encryption
Key Management– Dynamic groups: users joining and leaving
– How to generate and update the group key
Access ControlData confidentiality
Tutorial: Secure Wireless Multicast
Yan Sun
Key ManagementKey Management
Security requirements– Group key secrecy - non-group members cannot
obtain any group key.
– Backward secrecy - the join user cannot decrypt the content that was sent before his join.
– Forward secrecy - the departure/revoked user cannot decrypt the content that is sent after his deletion from the group.
Performance requirements– Low communication, computation and storage
overhead
– Scalability for large dynamic groups
– Reliable distribution of key update messages
Tutorial: Secure Wireless Multicast
Yan Sun
AuthenticationAuthentication
Asymmetric: Digital Signature– The sender sign the communication data using his
private key.
– The receiver verify the communication data using the sender’s public key.
– Inefficient due to high computation overhead
Symmetric: Message Authentication Code (MAC)– The sender and the receiver share a secret key,
and compute a message authentication code (MAC) of all communicated data.
– When a message with a correct MAC arrives, the receiver is assured that the sender generated that message.
– Efficient, but not secure in Multicast.
Tutorial: Secure Wireless Multicast
Yan Sun
Multicast AuthenticationMulticast Authentication
Design Goals:– Using symmetric authentication methods
– Ensure security
Tutorial: Secure Wireless Multicast
Yan Sun
Re-visit Security RequirementsRe-visit Security Requirements
Confidentiality: non-group members cannot read the data
Integrity: data cannot be modified or deleted in any unauthorized way
Authentication: claimed sender is the actual sender
Access Control: only authorized parties can access the group communications
Non-repudiation: The sender cannot deny sending the message
No denial-of-service
WirelessMulticastSecurity
D1
Tutorial: Secure Wireless Multicast
Yan Sun
Wireless MulticastWireless Multicast
Many future multicast services will take place in the wireless domain.
Challenges:
Communication aspects:– Resource limitation: bandwidth, power, etc.
– Diverse devices
– Packet loss due to transmission errors
– Mobility
Security aspects– Ease of snooping on wireless transmissions
– DoS attacks: Jamming, Fake collisions
WirelessMulticastSecurity
Tutorial: Secure Wireless Multicast
Yan Sun
Wireless Wireless Multicast Multicast
Unique Feature:
Broadcast nature of wireless media
D2
Tutorial: Secure Wireless Multicast
Yan Sun
History of Wireless TechnologiesHistory of Wireless Technologies
Marconi’s wireless telegraphy (Patented in 1896 in the UK.)
American inventor Reginald Fessenden completed the first true radio broadcast in 1906
AM radio, the first real wireless industrial, in 1920s. FM radio in 1930s.
First wireless phone system appears in US in 1970s.
First commercial GSM network began offering service in 1991.
Late 90s, Wireless LAN and Bluetooth. 802.11 standard was finalized in 1997.
……
Tutorial: Secure Wireless Multicast
Yan Sun
Design ConsiderationsDesign Considerations
Communication aspects:– Resource limitation: bandwidth, power, etc.
– Diverse devices
– Packet loss due to transmission errors
– Mobility
Security aspects– Ease of snooping on wireless transmissions
– DoS attacks: Jamming, Fake collisions
A potential powerful tool– Broadcast nature of wireless media
WirelessMulticastSecurity
Part 2(a). Group Key Management Part 2(a). Group Key Management
Generic Key Management Schemes Network-aware Key Management Application-aware Key Management New Security Concerns
Tutorial: Secure Wireless Multicast
Yan Sun
Key ManagementKey Management
Centralized schemes: relying on a trusted Key Distribution Center (KDC)
Contributory schemes: generating/updating keys in a distributed manner.
Generic KM
Network-aware KM
Application-aware KM
Other security concerns
Tutorial: Secure Wireless Multicast
Yan Sun
Centralized Key Management Centralized Key Management
Tutorial: Secure Wireless Multicast
Yan Sun
Simplest Centralized Key ManagementSimplest Centralized Key Management
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
Ownership of the keys:KDC: knows all keysA User: the session key and its own private key
Data Distribution:Communication data is encrypted by the session key
Tutorial: Secure Wireless Multicast
Yan Sun
Key Update for User joinKey Update for User join
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
When a user joins the service, The current group members receive rekeying messages
olds
news KK }{
The joining user receives through a secure unicast channel during registration.
newsK
Tutorial: Secure Wireless Multicast
Yan Sun
Key Update for User DepartureKey Update for User Departure
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
)O(~ size message Rekeying N
110010001000
111
}{ ...,. , }{ ,}{, }{
service theleaves user
KKKKKKKK
unews
news
news
news
Tutorial: Secure Wireless Multicast
Yan Sun
Tree-based Key ManagementTree-based Key Management
An important class of centralized key management protocols employ logical tree structures to maintain keying materials
Tree-based KM protocols are considered to be scalable in terms of communication, computation and storage overhead
Tutorial: Secure Wireless Multicast
Yan Sun
Tree-based Centralized Key ManagementTree-based Centralized Key Management
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
K00 K01 K10 K11
K0 K1
Key Encrypted
Keys(KEKs)
Keys: session key; users’ private key; key encrypted keys
Ownership of the keys:A user: the keys on the branch from itself to the root
Tutorial: Secure Wireless Multicast
Yan Sun
Operation for User JoinOperation for User Join
KsSession
Key (SK)
u000 u001 u110Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110User
private keys
K00 K01 K10 K11
K0 K1
Key Encrypted
Keys(KEKs)
u111
K111
Key server • generates new versions of Ks, K1 and K11, • encrypted them using old versions• send encrypted keys to all current users.
Tutorial: Secure Wireless Multicast
Yan Sun
Operation for User DepartureOperation for User Departure
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
K00 K01 K10 K11
K0 K1
Key Encrypted
Keys(KEKs)
))(logO(2~ size message Rekeying 2 N
service theleaves user 111u 11011 }{ KK new
101 }{ KK new newnew KK 111 }{
0}{ KK news
newnews KK 1}{
D3
Tutorial: Secure Wireless Multicast
Yan Sun
Security Security
Security Goal: only authorized parties can access group comm.
Security Assumption:– No insiders are compromised. – Attackers cannot obtain other users’
private keys.– Attackers (who are non-group members)
cannot break the encryption.
Tutorial: Secure Wireless Multicast
Yan Sun
Variations of Tree-based SchemesVariations of Tree-based Schemes
VersaKey Framework improves the user joining operation.– new keys can be calculated through a one-way function
without sending rekeying messages.
– Key structure
{key ID, version number, revision number, key content}
One-way Function Tree (OFT)– the keys on the key tree are generated through one-way
functions, rather than arbitrarily determined by the KDC.
– This approach reduces the rekeying overhead from O(2 log(n)) to O(log(n)).
ELK– Instead of using one-way functions, ELK uses pseudo-
random functions to build and manipulate the keys. It also introduces hints, a small piece of information that improves reliability of rekeying.
Tutorial: Secure Wireless Multicast
Yan Sun Clustering– members are organized into a hierarchical
clustering structure. The cluster leaders are selected from group members and perform partial key management.
Tutorial: Secure Wireless Multicast
Yan Sun
Contributory Key ManagementContributory Key Management
In many scenarios, it is not preferred to rely on a centralized key server. – group members do not explicitly trust a single
entity;
– there are no servers or group members who have sufficient resources to maintain, generate and distribute keying information.
Contributory Key Management– Every group member participates key
establishment
– The group key contains contributions from all group members.
– The members’ personal keys are not disclosed to any other entities.
Tutorial: Secure Wireless Multicast
Yan Sun
Two-Party Diffie-HellmannTwo-Party Diffie-Hellmann
– Alice and Bob select a large prime number p and a primitive root α (mod p). Both p and α can be made public.
– Alice choose a secrete : x with 1 x p-2Bob choose a secrete: y with 1 x p-2
– Alice send αx (mod p) to BobBob send αy (mod p) to Alice
– Alice Calculates K = ( αy )x (mod p)– Bob Calculates K = ( αx )y (mod p)
Alice Bobαx (mod p)
αy (mod p)
K = αyx (mod p) K = αyx (mod p)
x y
Tutorial: Secure Wireless Multicast
Yan Sun
Group Diffie-HellmannGroup Diffie-Hellmann
Ingemarsson et al. first introduced a conference key distribution system based on a ring topology.
Steiner et al. extended the two-party Diffie-Hellman (DH) protocol and proposed group Diffie-Hellman protocols GDH.1/2/3
Logical tree structure is also used in the contributory setting by Kim et al in TGDH, and by Dondeti et al in DISEC.
Tutorial: Secure Wireless Multicast
Yan Sun
Tree-based Contributory SchemeTree-based Contributory Scheme
Tutorial: Secure Wireless Multicast
Yan Sun
Network-aware Key ManagementNetwork-aware Key Management
Wireless Multicast
In the future, many group communications will take place in the wireless domain.
Wireless scenario poses additional challenges on the key management,
High error rate Limited bandwidth
Rekeying messages need to be delivered reliably and in a timely manner.
Communication-efficient key management schemes are motivated.
Generic KM
Network-aware KM
Application-aware KM
Other security concerns
Tutorial: Secure Wireless Multicast
Yan Sun
Re-Visit Tree-based ApproachRe-Visit Tree-based Approach
KsSession
Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111User
private keys
K00 K01 K10 K11
K0 K1
))O(log(~ size message Rekeying N
service theleaves user 111u
11011 }{ KK new
101 }{ KK new newnew KK 111 }{
0}{ KK news
newnews KK 1}{
Key Encrypted
Keys(KEKs)
Tutorial: Secure Wireless Multicast
Yan Sun
Topology-aware Key Management Topology-aware Key Management
Observation– Most rekeying messages are only
useful for a subset of users. Ideas
– To match the key tree with the network topology,
– To localize the transmission of rekeying messages.
Goal:– To reduce the communication overhead– To improve reliability of key distribution
Tutorial: Secure Wireless Multicast
Yan Sun
Cellular Network TopologyCellular Network Topology
Tutorial: Secure Wireless Multicast
Yan Sun
Topology-Matching Key TreeTopology-Matching Key Tree
Step1: user-subtrees
Step2: BS-subtrees
Step3: SH-subtree
Tutorial: Secure Wireless Multicast
Yan Sun
Handoff Scheme for TMKMHandoff Scheme for TMKM
In mobile environment, the user will handoff to different BSs while maintaining his subscription to the group.
Handoffs cause users’ relocation on the TMKM tree.
A simple solutions: – when a user moves from cell i to cell j, he can
be treated as if he leaves the service from cell i, and join the service again to cell j.
Handoff can be done efficiently – Do not update keys immediately after handoffs.– Allow users to have more than one set of valid
keys– When a user leaves the service, update all his
keys.
Tutorial: Secure Wireless Multicast
Yan Sun
Two Effects of TMKMTwo Effects of TMKM
Marching Key tree to Network Topology
Localizing transmission of rekeying messages – reducing the comm. cost of sending one rekeying message.
Handoff – may need to update more than one set of keys when a user leaves
Tutorial: Secure Wireless Multicast
Yan Sun
Performance MeasurementPerformance Measurement
SH
BS BS BS BS
wireline-message-size :
the amount of the rekeying messages multicast to the BSs;
wireless-message-size :
the amount of the rekeying messages broadcast by BSs.(broadcast nature)
Tutorial: Secure Wireless Multicast
Yan Sun
1 2 3 4 5 6 7 8 90
2
4
6x 10
7
wir
ele
ss c
ost
multiple SH, R=4 mile, Vmax
=50 mile/hr, 1/ = 20 minute
1 2 3 4 5 6 7 8 90
2
4
6x 10
6w
ire
line
cost
1 2 3 4 5 6 7 8 90.2
0.3
0.4
0.5
the number of SH
per
form
anc
e ra
tio
TIKMTMKM
TIKMTMKM
= TMKM/TIKM
PerformancePerformance
Tutorial: Secure Wireless Multicast
Yan Sun
ScalabilityScalability
Scalability: when the number of SH (N) increases
Reliability is also improved.
NMp NMp)-(1-1
messages) rekeying all receivenot doesuser oneleast at Pr(
Tutorial: Secure Wireless Multicast
Yan Sun
Application-aware Key ManagementApplication-aware Key Management
Generic KM
Network-aware KM
Application-aware KM
Other security concerns
Applications: many multimedia group communications contains multiple data streams. For example, – a multicast program containing several related
services. Users can subscribe one or multiple services.
– In military applications, access privilege depends on the rank.
How to management keys when group members have different levels of access privilege?
Tutorial: Secure Wireless Multicast
Yan Sun
Example 1Example 1
Basic Comm. Advanced Comm.
Top Secret Comm.
Lowest Access Level
Moderate Access Level Highest Access Level
Data Group (DG): users that receive the same single multicast data stream
Service Group (SG): users that have the same access privilege
Tutorial: Secure Wireless Multicast
Yan Sun How many multicast sessions?
How to encrypt the multicast content?
How to manage keys?
Ks
Session Key (SK)
u000 u001 u110 u111Users u010 u011 u100 u101
K000 K001 K010 K011 K100 K101 K110 K111
User private keys
K00 K01 K10 K11
K0 K1
Tutorial: Secure Wireless Multicast
Yan Sun
Another Application ExampleAnother Application Example
Data Group (DG): Channel 1, channel 2 and channel 3
Service Group (SG): users who subscribe channel-- {1}, {2}, {3}, {1,2}, {1,3}, {2, 3}, {1,2,3}
Tutorial: Secure Wireless Multicast
Yan Sun
A Simple SolutionA Simple Solution
DK3
DK2
DK1
A separate tree is constructed for each DG
},,{ have some
};,{ have users some };{ have users some
secrete. pencrypt to toused is
comm. advancedencrypt toused is
comm. basicencrypt toused is
321
211
3
2
1
DDD
DDD
D
D
D
KKK
KKK
K
K
K
Tutorial: Secure Wireless Multicast
Yan Sun
A Better SolutionA Better Solution
Construct Key tree/graph based on SGs
SK }100{SK }110{
SK }111{
STEP 2. For each SG, construct a SG-subtree
STEP 1. For each DG, generate an data group key
DK3DK2
DK1
DK2DK3
DK1STEP 3. Connect the root of SG-subtrees and the data group keys
SK }100{SK }110{
SK }111{
Tutorial: Secure Wireless Multicast
Yan Sun
Key Update AlgorithmKey Update Algorithm
DK1DK2
DK3
SK }100{SK }110{
SK }111{
secrecy
forward
ensure to
keys update
secrecy
backward ensure
tokeys update1D 3D2D
}111{S}110{S}100{S
Tutorial: Secure Wireless Multicast
Yan Sun
Advantages of Key GraphAdvantages of Key Graph
Reduce storage overhead
Reduce communication overhead
Improve scalability
2
1
managementkey group-multi of overhead Storage
managementkey based- treeof overhead Storagelim0
M
N
Tutorial: Secure Wireless Multicast
Yan Sun
Other Security ConcernsOther Security Concerns
Key Management:
Protect multicast content from unauthorized access
Meanwhile, key management can disclose the information about dynamic group membership.
-- Number of users in a multicast group
-- Number of joining and departure users in a certain time interval.
Generic KM
Network-aware KM
Application-aware KM
Other security concerns
Tutorial: Secure Wireless Multicast
Yan Sun
Is this a security problem?Is this a security problem?
Group communication content and Group dynamic information (GDI) are two different types of information.
In commercial applications, GDI helps the competitors to analyze the audience behavior and develop efficient competition strategies.
In some other applications, GDI may represent network deployment information.
Tutorial: Secure Wireless Multicast
Yan Sun
Application Example 1Application Example 1
GDI has commercial value in future multicast services.
Because of efficient key management, a user can have flexibility to subscribe to an arbitrary set of programs, and changes his subscription at any time. The user will pay for what exactly he/she gets.
Viewers’ statistics, i.e. GDI, has commercial value.
Service provider A knows its own GDI, but does not wants to reveal GDI to its competitor service provider B.
GDI should also be protected against insiders.
Tutorial: Secure Wireless Multicast
Yan Sun
Application Example 2Application Example 2
GDI may represent sensitive information
The base station sends many broadcast messages to sensors.
GDI represents the number of sensors deployed in an area.
Broadcast content contains mostly control messages.
Malicious users should not be able to acquire GDI from compromised sensors.
Tutorial: Secure Wireless Multicast
Yan Sun
Group Dynamic InformationGroup Dynamic Information
Group Dynamic Information (GDI)
– N(t): the number of users in the group at time t
– J(t0, t1) : the number of users who join the group in time interval [t0, t1].
– L(t0, t1) : the number of users who leave the group in time interval [t0, t1].
D4
Tutorial: Secure Wireless Multicast
Yan Sun
Attack 1 Attack 1
[A1] Obtain J(t0, t1) and L(t0, t1) from the format of rekeying messages.
Ks
K
u000 u001 u110 u111...
K000K001 K010
K011K100 K101 K110 K111
K00K01 K10 K11
K0 K1
Session
Key (SK)
Key Encrypted
Keys(KEKs)
Users private
keys
}{ 1111newold KK
}{ 11newold KK
}{ newold KK
}{ news
new KK
u111 join
u111 leave
}{ 11110newKK
}{ 110newKK
}{ news
new KK
}{ 111newnew KK
}{0newKK }{1
newnew KK
Tutorial: Secure Wireless Multicast
Yan Sun
Assumptions:– N(t) do not vary much in a short time period
– The joining users are always put on the shortest branch of the key tree.
– The key tree is full loaded and has the fixed degree d.
– A user’s departure behavior is independent of others.
– The leaving users are uniformly distributed on the key tree.
Notations:– The attacker has W observations: {m1, m2, … mw}
Maximum Likelihood estimator
Attack 2Attack 2
})(|},...,,Pr{{maxarg)( 21 ntNmmmtN Wn
ML
[A2] Estimate N(t) directly from the size of the rekeying messages.
Tutorial: Secure Wireless Multicast
Yan Sun
It is an effective attack!It is an effective attack!
(a)(b)(c) simulated multicast groups; (d) a real MBone audio session.
Tutorial: Secure Wireless Multicast
Yan Sun
Attack 3Attack 3
Key IDs are send in clear text
{Kx}Ky
[ y, version_num(Ky), revision-number(Ky),
{x, version_num(Kx), revision_num(Kx), Kx }Ky ]
Key ID can tell the structure of the key tree
The frequency of a key ID appears can tell the number of users under this node.
Tutorial: Secure Wireless Multicast
Yan Sun
Key ID-based Reveals Group SizeKey ID-based Reveals Group Size
P(K00) = P(K01) P(K10) = P(K11)
Tutorial: Secure Wireless Multicast
Yan Sun
Key ID-based Reveals Group SizeKey ID-based Reveals Group Size
P(K00) = P(K01) P(K10) = P(K11)
P(K1) = 1 - ( 1 - P(K11)) ( 1 - P(K00))
>P(K00)
Tutorial: Secure Wireless Multicast
Yan Sun
ComparisonComparison
A1 – format of rekeying messages
A2 – size of the rekeying messages
A3 – ID of the keys
D5
Tutorial: Secure Wireless Multicast
Yan Sun
Vulnerability of Popular SchemesVulnerability of Popular Schemes
Centralized Key Management Schemes Straight- forward?
A2 effective?
A1 Effective?
Key Graph [1] No Yes Yes Wallner [2] No Yes Yes Tree-based VersaKey [3][4] No Yes Yes One-way function tree [5] No Yes No Improve Key Revocation [6] No Yes No ELK[7] No Yes --
Tree Based
Trappe: Embedding [8] No Yes Yes Security lock [9] Yes -- --
No No No Flat
Flat VersaKey [3][4] Not resist to collusion attacks
Iolus [10] No Local Local No No No
Local security agents
Cluster [11] GDI is transparent to cluster leaders, who compose about ¼ of total users. No No No Others Subset differences Extremely inefficient when T>>N
Tutorial: Secure Wireless Multicast
Yan Sun
Anti-attack techniquesAnti-attack techniques
Batch Rekeying – remove GDI in time domain
update keys periodically– Reducing the communication overhead
– Resistant to attack [A1], but not resistant to attack [A2] and [A3]
Phantom Users – remove GDI in message domain
Phantom users as well as their join and departure behavior, are created by the KDC.– Generate the artificial GDI
– The observed rekey process only reveals artificial GDI.
Tutorial: Secure Wireless Multicast
Yan Sun
Anti-attack techniquesAnti-attack techniques
Real GDI Artificial GDI Rekeying Process
Tutorial: Secure Wireless Multicast
Yan Sun
Real GDI and Artificial GDIReal GDI and Artificial GDI
N0
L0
L0
Tutorial: Secure Wireless Multicast
Yan Sun
Communication OverheadCommunication Overhead
Communication overhead– L0 : the total number of real and phantom join/departure users.
– N0 : the total number of real the phantom users.
Tutorial: Secure Wireless Multicast
Yan Sun
SecuritySecurity
Leakage of GDI:– Mutual information between the real GDI and artificial GDI.
Tutorial: Secure Wireless Multicast
Yan Sun
OptimizationOptimization
Choose L0 and N0 such that the leakage of GDI is minimize given the communication overhead constraint.
Tutorial: Secure Wireless Multicast
Yan Sun
TradeoffTradeoff
Tutorial: Secure Wireless Multicast
Yan Sun
GDI in Distributed EnvironmentsGDI in Distributed Environments
In many distributed key management schemes, group members must know GDI to perform
admission control key chain/ring/tree generation. group key establishment
The inside/outside attackers can also obtain GDI from the size of messages containing key materials.
General Suggestion: Contributory Schemes are not suitable for applications with confidential GDI.
Part 2(b). Multicast AuthenticationPart 2(b). Multicast Authentication
Review Digital Signature and MAC
Security problem of using MAC in Multicast
TESLA
Tutorial: Secure Wireless Multicast
Yan Sun
Public Key and Privacy KeyPublic Key and Privacy Key
Bob
(Bob's public key) (Bob's private key)
Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.
Bob's Co-workers:
Pat Doug Susan
Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself
Digital Signature
MAC
TESLA
Tutorial: Secure Wireless Multicast
Yan Sun
Signature GenerationSignature Generation
Step 1:
Step 2:
Tutorial: Secure Wireless Multicast
Yan Sun
Step 3:
Tutorial: Secure Wireless Multicast
Yan Sun
Signature VerificationSignature Verification
Tutorial: Secure Wireless Multicast
Yan Sun
Message Authentication CodeMessage Authentication Code
MAC is an authentication tag derived by applying an authentication scheme, together with a secret key, to a message.
Unlike digital signatures, MACs are computed and verified with the same key.
Hash function-based MACs (often called HMACs) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message
Digital Signature
MAC
TESLA
Tutorial: Secure Wireless Multicast
Yan Sun
Authentication in UnicastAuthentication in Unicast
In unicast,– Alice is going to send many packets to Bob. Bob
wants to make sure that these packets are really from Alice.
– Alice and Bob first establish a shared key K.
– For each packet, Alice generates a MAC using key K. Alice send the packet together with the MAC.
– Bob verifies
The received MAC is generated based on the received packet.
The MAC is generated using key K.– Since Alice is the only one (besides Bob) who has
the key K, the packet must be from Alice and has not been modified by others.
Tutorial: Secure Wireless Multicast
Yan Sun
Authentication in UnicastAuthentication in Unicast
Alice
Bob
K
K
M, MAC(K,M)
Tutorial: Secure Wireless Multicast
Yan Sun
Authentication for MulticastAuthentication for Multicast
Alice
Bob
K
KEve
K
M, MAC(K,M) M, MAC(K,M)
M', MAC(K,M')
Append MAC, computed using a shared key, to Append MAC, computed using a shared key, to each packet. each packet.
any receiver that has the shared key can any receiver that has the shared key can impersonate the senderimpersonate the sender
Tutorial: Secure Wireless Multicast
Yan Sun
TESLA OverviewTESLA Overview
Use “symmetric cryptography”, using MAC
Delay disclosure of keys by the sender
Sender
- attach to each packet, MAC computed using a key ‘k’ known only to itself.
Receiver
- buffers packet without being able to authenticate
- a short while later, sender discloses ‘k’ and the receiver is able to authenticate the packet.
- packets that are received too late are discarded.
Comments A single MAC per packet suffices to produce “source
authentication” Both sender and receivers are time synchronized.
Digital Signature
MAC
TESLA
Tutorial: Secure Wireless Multicast
Yan Sun
TESLA DetailsTESLA Details
One-way key chain– Each sender chooses random initial key KN,
generates one-way key chain as
KN-1 = H (KN); KN-2 = H (KN-1), ….
Schedule for disclosing keys– Sender pre-determines the schedule
– For example, disclose Ki at Ti = T0 + i t
Receiver can determine which key is disclosed– Based on loose time synchronization()
– Sender picks Ki which will not be disclosed until + 2 time passes and add MAC using Ki
– Receiver discard the packet if security condition fails
Tutorial: Secure Wireless Multicast
Yan Sun
TESLA Security ConditionTESLA Security Condition
The receiver will reject a packet whose MAC is generated using Ki if security condition fails.
TESLA security condition
– Ki used to authenticate a packet cannot have been disclosed yet
– For example, if arrival time is tr and earliest time to disclose Ki is t0 + i t, then tr t0 + i t - implies Ki is not disclosed yet
– t is small may discard some packetst is large long delay for authenticationt does not affect security
Tutorial: Secure Wireless Multicast
Yan Sun
ExampleExample
tTime 4 Time 5 Time 6 Time 7
P2
K5
P1Receiververify MAC
K4 K5 K6 K7K3FF FF
Tutorial: Secure Wireless Multicast
Yan Sun
Robustness Against Packet LossRobustness Against Packet Loss
tTime 4 Time 5 Time 6 Time 7
P5
K5
P3P2P1
Verify MACs
P4
K4
K4 K5 K6 K7K3FF FF
Receivers derive K4 from K5
Part 3. More on Wireless MulticastPart 3. More on Wireless Multicast
More on Wireless Multicast,
More on Research,and a Future Research Direction
Tutorial: Secure Wireless Multicast
Yan Sun
Research OpportunitiesResearch Opportunities
Wireless
Unicast
Multicast
Security
Application
Tutorial: Secure Wireless Multicast
Yan Sun
Wireless Multicast with TDWireless Multicast with TD
Using adaptive antenna array can provide Transmit diversity.
Transmit Diversity (TD) is well known for improving performance in point-to-point communication between two wireless devices
A question initiated a research topic:
Can adaptive antenna array improves the performance of wireless multicast?
Tutorial: Secure Wireless Multicast
Yan Sun
Performance of Multicast Performance of Multicast BeamformingBeamforming
N , BER M , BER
Tutorial: Secure Wireless Multicast
Yan Sun
Wireless Multicast with TDWireless Multicast with TD
Transmit Diversity (TD) – Close loop method: Beamforming,
– Open loop method: Space time coding
For unicast communication– When perfect channel information is available at
the transmitter, beamforming is better.
– When channel information is not available/accurate, STC is better.
More questions– How can transmit antenna array help wireless
multicast?
– Comparison among Transmit Diversity (TD) techniques.
Tutorial: Secure Wireless Multicast
Yan Sun
Space-time coding vs. BeamformingSpace-time coding vs. Beamforming
Decoding BER vs. Transmission SNR
M=2N=2,4,6,8,12,20
Tutorial: Secure Wireless Multicast
Yan Sun
ResultsResults
Beamforming can improve performance of wireless multicast.
Two TD techniques: Beamforming and Space-time-coding– When the group size exceed a certain
threshold, using STC. Otherwise, using beamforming
What can be done– Jointly apply both TD technqiues
– Joining design beamforming and STC.
Tutorial: Secure Wireless Multicast
Yan Sun
Profound ImpactProfound Impact
The physically layer TD techniques will pose important influence on multicast routing in ad hoc networks.
How will this affects security?
Tutorial: Secure Wireless Multicast
Yan Sun
A Future Research DirectionA Future Research Direction
How does the physical layer techniques influent upper layer protocols?
Adaptive antenna array new requirement for MAC and Routing
Collaborative communication …..
Security is always a concern
Antenna array hurting or helping?
in terms of security